As industry professionals recognise that data has become both an asset and a liability, securing and managing data, and ensuring only the necessary personnel have access to the required data, has become just as critical as, if not more critical than, actually managing the lifecycle of the data itself.
While mass amounts of data were migrated to cloud platforms in the past year to enable efficient remote access during the pandemic, organisations were tasked with finding solutions for expanding their existing governance practices beyond the traditional IT environments. This includes implementing standards for managing data and entitlements, and making data security all-encompassing, all while ensuring staff can operate as close to business-as-usual as possible.
The pandemic drove a major uptick in remote working, in turn exponentially increasing risk, with everyone attempting to enable remote access for their employees at maximum speed. Mismanaged entitlements exist regardless of employees’ physical location, but when employees were in an office, there was a natural incentive to adhere to office rules and not to misuse any unmanaged entitlements that may exist.
When employees moved to working-from-home environments, that natural incentive disappeared. With the speedy shift to cloud that we noticed during the transition to remote work, the entitlements mess simply travelled to an area where the data doesn’t live within an employee’s four walls. The risk is now exponentially greater.
The remote workforce lured more organisations to take advantage of cloud capabilities, using third-party platforms like Office 365 and AWS. Cloud benefits such as long-term cost savings, collaboration capabilities and scalability are undeniable, but organisations need to make sure they are abiding by stringent regulatory requirements, especially within highly regulated industries such as financial services. With new technology in the cloud, auditors are starting to poke around and assess these systems much earlier than they traditionally have.
This means that infrastructure departments are going to have major challenges when they find out that they are not compliant, even with internal policy, and security teams will have to significantly expand their resources to investigate and prove security compliance across the board. The reality is that a lot of companies are putting more focus on making sure their employees can work remotely, leaving the access control piece as an afterthought. Organisations are now realising that while a “lift and shift” approach may have been immediately necessary, they must now revisit the topic of standardising permissions in these new environments and ensure a least-privilege access model is strictly adhered to.
Executives and leadership teams across all organisations need to make sure they are prioritising and proactively implementing an effective data governance strategy as the data landscape continues to evolve. We are also increasingly seeing more software companies focus on the data governance and security space, which tells us this is a real pain point and an urgent need across many enterprises.
What a successful data governance strategy needs
It starts with analysing every part of your data, providing an inventory of all these assets and organising the metrics and analytics in a consumable fashion. Additionally, violations of core security policies, i.e., open or excessive permissions, must be highlighted. Accurate ownership across the data is equally important, especially as organisations are building out their evergreen processes such as regular entitlement reviews. Finally, defining and implementing a Target Operating Model, all while remediating key risks, must be part of the process, so that you stop the bleeding while putting in place a solution that keeps your environment secure and compliant. The real risks that will get your organisation on the front page of a newspaper are needle-in-the-haystack vulnerabilities. It’s incredibly important to go wide and deep, as many of the issues behind data breaches, which cause financial and reputational harm, are buried deep in the data repositories and cannot be found and fixed with superficial solutions.
Not all companies have the same needs for compliance, but all companies have a need for security, and therefore have a need for a governance policy. We are in a world where data is only going to continue to grow. Knowing where it resides, who has access and what is being done with it needs to be understood. Whether for compliance or security or both, companies must have a plan in place to deal with their information.
Data is a critical asset and needs to be protected. Specifically, entitlement sprawl across the data platforms is a known issue that is top of mind for CIOs and CISOs. To solve the entitlement issues, companies need to have visibility, understand clear and not-so-clear violations, have a process to remediate in an automated fashion, and develop a communicated and constant evergreen process to deal with the dynamic nature of entitlements.
Re-evaluate your data governance strategies now